Successfully implementing a project in your OT (operational technology) environment, whether it’s for security, operations, compliance, or anything in between, starts by understanding what assets you’re dealing with. The assets on your network and their associated data can play a big role in understanding the scope of your project. Knowing what you’re working with can impact your plan and approach.
This is where effective asset inventory management comes in. An asset inventory documents all of the devices and software across your network along with any relevant data such as manufacturer, model, firmware, software version, patch, etc. Beyond knowing what you’re working with, maintaining an accurate asset inventory can be one of many requirements to maintain compliance with certain regulations like NERC CIP.
If your organization doesn’t have an asset inventory, or the one you have is out-of-date, this blog will cover different asset identification methods and what you need to know before launching any asset ID initiatives.
Finding Assets Across Your Network(s)
There are multiple ways to conduct asset discovery. One of the simplest (albeit probably one of the most inefficient) is to have a person or a team visit each location that has a discrete network, physically count the machines, manually gather network data with tools such as netstat, and verify that everything matches the documentation.
This is typically as tedious, inefficient, and error-prone as it sounds. But if an organization has only a single network with a small number of assets, it might be the easiest and least complicated way to start building an asset inventory.
When it comes to more automated asset identification methods, there are generally two main routes an organization can take: passive and active asset identification.
Passive asset identification is often done by placing a device on your network to listen to the activity that’s already happening between devices. Passive methods can pull any of the data passing through the network into a database for further analysis, storage, or other places as your team needs.
Active asset identification typically involves sending network communications like a packet to devices on the network and waiting to see what responses come back. The response from the machine can often contain more data about the device than would normally be visible across operational communications on the network.
There are pros and cons to both methods. Ultimately, neither is inherently the better way of getting relevant information; the method you choose depends on the information you need and your specific environment.
Just getting started and want to get quick visibility into assets on your network? Check out SynSaber’s (free) OT PCAP Analyzer.
Passive? Active? Both?
When it comes to choosing either passive or active asset identification in an OT environment, it comes down to the level of detail you need and the requirements of your area and systems. Cybersecurity vulnerability management, for example, requires a different set of asset data than improvements for operational safety.
If you aren’t sure what devices might exist across different networks, passive methods can reliably identify any devices that are consistently communicating on the network. Passive asset ID can also pick up on transient, one-time events such as a device connecting and then disconnecting from the network.
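As an added illustration (not code from SynSaber or this post), the following script shows how a passive asset ID pipeline can fold captured frames into an inventory and flag connect-then-leave devices. The frame records, MAC addresses and IPs are constructed sample data, and the port-to-protocol table is a small hypothetical subset.

```python
from dataclasses import dataclass, field

# Hypothetical subset of well-known OT/IT ports used to label what a device was seen speaking.
PORT_PROTOCOLS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm", 443: "HTTPS"}

# Constructed sample of what a passive sensor would record per frame:
# (timestamp_s, src_mac, src_ip, src_port, dst_port)
CONSTRUCTED_FRAMES = [
    (0.0,    "00:1d:9c:aa:01:01", "10.10.1.20", 49152, 502),    # HMI polls PLC over Modbus
    (0.1,    "00:80:f4:bb:02:02", "10.10.1.10", 502,   49152),  # PLC reply
    (300.0,  "00:1d:9c:aa:01:01", "10.10.1.20", 49153, 502),
    (300.1,  "00:80:f4:bb:02:02", "10.10.1.10", 502,   49153),
    (310.0,  "3c:22:fb:cc:03:03", "10.10.1.57", 51000, 443),    # laptop plugged in briefly
    (312.0,  "3c:22:fb:cc:03:03", "10.10.1.57", 51001, 443),
    (3500.0, "00:1d:9c:aa:01:01", "10.10.1.20", 49154, 502),
    (3500.1, "00:80:f4:bb:02:02", "10.10.1.10", 502,   49154),
]

@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    first_seen: float = 0.0
    last_seen: float = 0.0
    observations: int = 0

def build_inventory(frames):
    """Fold passive observations into one entry per MAC, keyed on the hardware address."""
    inventory = {}
    for ts, mac, ip, sport, dport in frames:
        asset = inventory.setdefault(mac, Asset(mac=mac, first_seen=ts, last_seen=ts))
        asset.ips.add(ip)
        for port in (sport, dport):            # label by either side, so servers get tagged too
            if port in PORT_PROTOCOLS:
                asset.protocols.add(PORT_PROTOCOLS[port])
        asset.first_seen = min(asset.first_seen, ts)
        asset.last_seen = max(asset.last_seen, ts)
        asset.observations += 1
    return inventory

def transient_assets(inventory, max_presence=60.0):
    """MACs whose entire presence fits inside a short window of a longer capture.
    A device seen once in a capture shorter than the window is not judged transient."""
    if not inventory:
        return []
    span = max(a.last_seen for a in inventory.values()) - min(a.first_seen for a in inventory.values())
    if span <= max_presence:
        return []
    return sorted(m for m, a in inventory.items() if a.last_seen - a.first_seen <= max_presence)

if __name__ == "__main__":
    inv = build_inventory(CONSTRUCTED_FRAMES)
    for a in inv.values():
        print(a.mac, sorted(a.ips), sorted(a.protocols), a.observations)
    print("transient:", transient_assets(inv))
```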
If you need more detailed information about an asset that you know exists on a network, such as what patch it’s on, or what version of the software it’s running, an active approach may be faster, since this information isn’t usually sent in normal communications.
In some instances, it might be best to combine both passive and active asset ID methods. Passive methods can be used to identify all the assets on the network, while active methods can be used to query specific assets for more detail.
But some industrial machines are built so precisely for the operation they’re part of that an unexpected request, even one sent in a protocol the device understands, could throw off normal operations or temporarily take the machine receiving the request out of service. Any active asset ID methods should be done under guidance from the operations team or the asset owners to minimize any potential impact.
Start with a Plan, Then Find the Right Tools
Whether the team is being tasked with specific compliance requirements, cybersecurity posture improvement, or operational safety, identifying and maintaining an inventory of assets is one of the key foundational steps in the process.
Productive asset identification in an OT environment starts with knowing the necessary level of detail and coming up with a plan to get this information without negatively impacting the environment.
If you’re looking for more information on getting started with building an asset inventory, the SynSaber team recently discussed all things asset ID, from the different methodologies to what to consider as you get started.